
Explore Vulnerabilities


Explore all Exploits:

dvips Vulnerability

dvips is a utility that converts DVI documents to PostScript. It is an optional component of the teTeX text formatting package. On a system where LPRng and teTeX are in use, 'dvips' will be invoked by 'lpd' when a DVI document is to be printed, if a printfilter exists for it. On some systems, 'dvips' is not invoked in a safe manner. As a result, it may be possible for remote attackers to execute commands on vulnerable systems through 'lpd' by using certain DVI directives. It should be noted that this vulnerability is due only to the configuration of the DVI printfilter on some systems. There is no specific vulnerability in lpd, dvips or any other executable component; it is simply an error in the default configuration present on some systems. It has been reported that Red Hat 7.0 is vulnerable with the default configuration installed with the RPM packages.

AIX Printing Subsystem ‘piomkapqd’ Local Privilege Escalation Vulnerability

The 'piomkapqd' utility is a component of the AIX printing subsystem. By default, it is installed setgid and owned by the 'printk' group. 'piomkapqd' contains a locally exploitable stack overrun condition in its handling of command line parameters. Local users may be able to gain group 'printk' privileges if this vulnerability is exploited. It may be possible to elevate to root from this point by exploiting vulnerabilities in other components of the printing subsystem.

CBOS Multiple TCP Connections Denial of Service Vulnerability

CBOS is the Cisco Broadband Operating System, firmware designed for use on Cisco 600 series routers. It becomes unstable when it receives multiple TCP connections on one of the two administrative ports: 21 via telnet, or 80 via HTTP. Upon receiving multiple connections on one of these two ports, the 600 series router can no longer be configured and requires a reboot to resume normal operation.

UltraEdit FTP Password Decryption Vulnerability

UltraEdit is a multi-featured commercial text editor with support for HTML, C/C++, VB, Java, Perl, XML, and C#. It also includes a hex editor and a small FTP client. UltraEdit's FTP client has a feature which will remember FTP passwords for later use. When passwords are remembered they will be stored on the system using an 'admittedly' weak encryption algorithm. As a result, it is a fairly trivial task to decrypt the passwords for FTP accounts. Successful exploitation of this vulnerability will allow a local attacker to gain unauthorized access to the FTP sites used by other local users.

CuteFTP Weak Password Encoding Vulnerability

CuteFTP is a popular commercial FTP client for Microsoft Windows systems. CuteFTP v4.2 (and possibly earlier versions) uses a weak system for encoding passwords for accounts on FTP sites. Passwords are stored in a file called 'sm.dat', and can be easily retrieved provided the site manager password has not been set. Successful exploitation of this vulnerability will allow a local attacker to gain unauthorized access to the FTP sites used by other local users. This piece of VB code will decode the passwords stored in sm.dat for the FTP accounts.

AOLServer version 3.2 and prior Linux x86 remote exploit

A problem has been discovered that can allow remote users to crash an AOLServer, denying service to legitimate users of the system. The problem is due to the handling of passwords. It is possible for a remote user to overflow a buffer within the AOLServer process by sending a password of 2048 bytes. This could result in the overwriting of stack variables, including the return address. This makes it possible for a remote user to execute arbitrary code with the privileges of the AOLServer process, and potentially gain local access.

AOLServer 3.0 Vulnerability

A problem has been discovered that can allow remote users to crash an AOLServer, denying service to legitimate users of the system. The problem is due to the handling of passwords. It is possible for a remote user to overflow a buffer within the AOLServer process by sending a password of 2048 bytes. This could result in the overwriting of stack variables, including the return address, making it possible for a remote user to execute arbitrary code with the privileges of the AOLServer process, and potentially gain local access.

Respondus WebCT Password Disclosure Vulnerability

Respondus is an application designed to add functionality to WebCT's quiz, self-test and survey tools. When a user opts to have Respondus remember the username/password for WebCT access, the information is saved encrypted in a file called 'WEBCT.SRV'. The encrypted value of the username and password are converted to their ASCII values and added to a constant. A hex editor can be used to compare differences between the file before credentials are saved with the version of the file after credentials are saved. The values of the username/password are determined by subtracting the constants in 'WEBCT.SRV' prior to saving the credentials from the new values. Successful exploitation of this issue will allow the attacker to access other WebCT accounts, which may lead to elevated privileges or the disclosure of sensitive information.

Intego FileGuard Weak Password Encryption Vulnerability

Intego FileGuard is a commercial access control utility for Mac OS versions 7-9.1. Its functionality includes the ability to enforce privileges, log activities, manage user accounts, restrict access by time, etc. However, a vulnerability exists which allows a local user to circumvent those controls and elevate privileges. A weak algorithm is used to encrypt the stored passwords. mSec has released a tool called Disengage which will attempt to decrypt passwords, provided circumstances exist which allow Disengage to work. Passwords for Intego DiskGuard may also be decrypted in this manner.

Recent Exploits: